Hello Jody,
Please provide the output of `iptables-save`, and the output of `ipsec statusall`
once you tried to access the internet, but while the client is still connected.
Kind regards
Noel
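One thing Noel's `iptables-save` request would reveal is whether the gateway still has the NAT and forwarding rules that the client pool depends on; as an added example (not Noel's or Jody's code, nor part of the thread), here is a POSIX sh check that reads an `iptables-save` dump and reports which of those rules are present. It assumes the pool is 10.10.10.0/24 (the network of Jody's rightsourceip), that the uplink is eth0, and that client traffic is masqueraded on it; the two dumps it runs against are constructed samples.

```shell
#!/bin/sh
# Added diagnostic, not from the thread: read an `iptables-save` dump and report
# whether the rules a road-warrior client pool needs are present. Assumptions:
# pool 10.10.10.0/24 (Jody's rightsourceip network), uplink eth0, masquerading.

# Constructed sample: the POSTROUTING NAT rule and the return FORWARD rule
# are gone, so clients authenticate and get a tunnel but no replies come back.
SAMPLE_BROKEN='*nat
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -s 10.10.10.0/24 -m policy --dir in --pol ipsec -j ACCEPT
COMMIT'

# Constructed sample of a working ruleset.
SAMPLE_OK='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -s 10.10.10.0/24 -m policy --dir in --pol ipsec -j ACCEPT
-A FORWARD -d 10.10.10.0/24 -m policy --dir out --pol ipsec -j ACCEPT
COMMIT'

# check_vpn_rules POOL DUMP: prints one line per finding, returns 0 only when
# the NAT rule and both FORWARD directions for POOL are present.
check_vpn_rules() {
    pool=$1; dump=$2; rc=0
    pool_re=$(printf '%s' "$pool" | sed 's/[.]/\\./g')   # literal dots for grep -E
    nat=$(printf '%s\n' "$dump" | sed -n '/^\*nat/,/^COMMIT/p')
    filter=$(printf '%s\n' "$dump" | sed -n '/^\*filter/,/^COMMIT/p')
    if printf '%s\n' "$nat" | grep -Eq "^-A POSTROUTING .*-s $pool_re .*-j (MASQUERADE|SNAT)"; then
        echo "ok: POSTROUTING NAT for $pool"
    else
        echo "MISSING: POSTROUTING MASQUERADE/SNAT for $pool (no return path from the internet)"; rc=1
    fi
    for dir in s d; do   # -s: pool -> world, -d: world -> pool
        if printf '%s\n' "$filter" | grep -Eq "^-A FORWARD .*-$dir $pool_re .*-j ACCEPT"; then
            echo "ok: FORWARD accepts -$dir $pool"
        else
            echo "MISSING: FORWARD rule for -$dir $pool"; rc=1
        fi
    done
    return $rc
}

# On the live gateway: check_vpn_rules 10.10.10.0/24 "$(iptables-save)"
check_vpn_rules 10.10.10.0/24 "$SAMPLE_BROKEN" || echo "sample dump needs repair"
```

Connections that carry leftfirewall=yes get their FORWARD rules inserted by the updown script, but the ikev2-vpn conn in Jody's config does not set it, and the POSTROUTING NAT rule is never added by strongSwan itself.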
On 02.08.21 at 20:26, Jody Whitesides wrote:
Having trouble trying to understand why VPN would suddenly stop allowing
traffic to the internet (despite no changes to the server, and it was working
fine for months). Devices can connect to the VPN and logs show they connect.
However, they no longer get traffic to the internet or to the server itself.
Unfortunately I don’t understand the logs enough to know the direct reason, but
I’ve included some connection logs after the config. Any help that can lead to
a fix would be appreciated.
Here’s the config:
config setup
    charondebug="dmn 1,mgr 1,ike 1,chd 1,job 1,cfg 1,knl 1,net 1,tls 1,lib 1,enc 1,tnc 1"
    uniqueids=no

conn %default
    # ike=aes256-sha1-modp1024,3des-sha1-modp1024!
    # esp=aes256-sha1,3des-sha1!
    fragmentation=yes
    auto=add
    dpdaction=clear
    dpddelay=40
    dpdtimeout=130
    ikelifetime=1h
    lifetime=1h
    margintime=9m
    rekeyfuzz=100%
    # rekey=yes
    aggressive=no
    forceencaps=yes
    left=%any
    leftid=(serverIP)
    leftcert=(link to cert)
    leftsendcert=always
    leftsubnet=0.0.0.0/0,::/0
    right=%any
    rightid=%any
    # rightauth=eap-mschapv2
    rightdns=45.76.254.23,172.98.193.62,2001:19f0:5401:2a4a:5400:03ff:fe2b:271f
    rightsourceip=10.10.10.1/24
    rightsubnet=%dynamic

#conn mac
#    keyexchange=ikev1
#    authby=xauthpsk
#    xauth=server
#    reauth=yes

conn ios
    ike=aes256-sha1-modp1024,3des-sha1-modp1024!
    esp=aes256-sha1,3des-sha1!
    keyexchange=ikev1
    mobike=yes
    reauth=yes
    rekey=yes
    leftallowany=yes
    lefthostaccess=yes
    leftfirewall=yes
    leftauth=pubkey
    rightallowany=yes
    rightauth=pubkey
    rightauth2=xauth
    rightfirewall=yes
    rightcert=(link to cert)

conn ikev2-vpn
    ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes128-sha1-modp1024,aes256-sha1-modp1024,3d>
    esp=chacha20poly1305-sha512,aes256gcm16-ecp384,aes256-sha256,aes256-sha1,3des-sha1!
    keyexchange=ikev2
    type=tunnel
    compress=no
    rekey=no
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%identity
Here’s the Log:
Aug 2 12:13:34 jodywhitesides charon-custom: 06[NET] received packet: from [IP of Device][500] to [IP of Server][500] (848 bytes)
Aug 2 12:13:34 jodywhitesides charon-custom: 06[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]
Aug 2 12:13:34 jodywhitesides charon-custom: 06[IKE] received NAT-T (RFC 3947) vendor ID
Aug 2 12:13:34 jodywhitesides charon-custom: 06[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
Aug 2 12:13:34 jodywhitesides charon-custom: 06[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Aug 2 12:13:34 jodywhitesides charon-custom: 06[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Aug 2 12:13:34 jodywhitesides charon-custom: 06[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Aug 2 12:13:34 jodywhitesides charon-custom: 06[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Aug 2 12:13:34 jodywhitesides charon-custom: 06[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Aug 2 12:13:34 jodywhitesides charon-custom: 06[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Aug 2 12:13:34 jodywhitesides charon-custom: 06[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Aug 2 12:13:34 jodywhitesides charon-custom: 06[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Aug 2 12:13:34 jodywhitesides charon-custom: 06[IKE] received XAuth vendor ID
Aug 2 12:13:34 jodywhitesides charon-custom: 06[IKE] received Cisco Unity vendor ID
Aug 2 12:13:34 jodywhitesides charon-custom: 06[IKE] received FRAGMENTATION vendor ID
Aug 2 12:13:34 jodywhitesides charon-custom: 06[IKE] received DPD vendor ID
Aug 2 12:13:34 jodywhitesides charon-custom: 06[IKE] [IP of Device] is initiating a Main Mode IKE_SA
Aug 2 12:13:34 jodywhitesides charon-custom: 06[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Aug 2 12:13:34 jodywhitesides charon-custom: 06[ENC] generating ID_PROT response 0